Major computer security bug threatens thousands of devices

Thousands of apps and hardware devices could be at risk from a recently discovered computer security vulnerability.

Disclosing the bug in its online security blog on Tuesday (Feb 16), Google said a flaw in some commonly-used code could be manipulated to grant remote access to devices - whether it is a computer, internet router or a piece of equipment connected to the Internet.

The BBC reported that the code can also be within many of the so-called "building blocks' of the web - programming languages such as PHP and Python are affected, as well as systems used when logging in to websites or accessing e-mail.

Speaking to the BBC, Washington DC-based security researcher Kenneth White said it was not a "sky-is-falling scenario" but warned that hackers would almost certainly attempt to exploit the weakness.

"It's true there's a very real prospect that a sizable portion of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others."

The bug, indexed as CVE-2015-7547, can be found in glibc - an open-source library of code widely used in Internet-connected devices - and was discovered as early as July last year.

Google has since worked with open source solutions provider Red Hat to release a patch that will fix the problem.

The BBC cited the example of a domain look-up, when a device converts a web domain and finds its corresponding IP address so it can access the website or service needed.

The domain look-up code in glibc contains the bug that allows hackers to maliciously implant code within a device's memory, paving the way for attacks such as remote execution, where a device is controlled over the web.

While Google said it is hard to exploit the flaw, its engineers have found out how to do so. It did not release the exploit code.

The scale of the problem is difficult to gauge as it is not clear how many devices and systems make use of the glibc code.

Major systems such as Windows or OS X are not affected, but Professor Alan Woodward, a security expect from the University of Surrey, told the BBC that consumers should be concerned about smaller connected devices.

"Think routers and increasingly anything considered part of the 'Internet of Things'," said Prof Woodward.

The Straits Times

We have been experiencing some problems with subscriber log-ins and apologise for the inconvenience caused. Until we resolve the issues, subscribers need not log in to access ST Digital articles. But a log-in is still required for our PDFs.